Radiant Systems and Computer World responsible for breach affecting restaurants – lawsuit

November 24, 2009
Dissent

There’s been a lot of coverage of the lawsuits against Heartland Payment Systems, a payment processor fined by both Visa and Mastercard for not being PCI-DSS compliant. Now a class-action lawsuit by seven restaurants claims that dozens of restaurants may have become victims of card fraud because systems provided to the restaurants by Radiant Systems and its Louisiana distributor, Computer World Inc., were not compliant with required standards. According to a statement provided to DataBreaches.net by Charles Hoff of the Law Offices of Charles Y. Hoff, PC, general counsel for the Georgia Restaurant Association and one of the attorneys acting as a legal advisor to the restaurants in the lawsuit, the plaintiffs “do not have any exact numbers from the Secret Service but have been told that it is believed that dozens of restaurants as well as some hotels were victims of security breaches.” Seven restaurants in Louisiana and Mississippi are named as plaintiffs in the lawsuit, including a Best Western, Mel’s Diner, Sammy’s Grill, Crawfish Town USA, Jone’s Creek Cafe, Don’s Seafood, and Picante’s Mexican Grill. In a separate, but related lawsuit, On the Half Shell and Boudreaux’s and Thibodeaux’s, sued Radiant Systems and Computer World in April. Keith Bond, owner of Mel’s Diner in Broussard, Louisiana says that he purchased the “Aloha” system in 2007. In the spring of 2008, one of the restaurant’s servers noticed a problem that the mouse seemed to be moving around out of their control. According to Bond, they called Computer World, who told them to disconnect their internet connection and that they would send someone out the next day. When the service tech examined the system, he reportedly removed and replaced the hard drive, but was “vague” about what was wrong with the system, reassuring them that the problem was now resolved. Less than one month later, the restaurant received letters from Visa and Mastercard that they had been breached, were being fined, and were required to arrange for a forensic audit with an approved auditor. According to Bond, Visa fined them $5,000 and debited the money from their account immediately. Mastercard fined them $100,000 but waived the fine [but see NOTE at bottom of story]. Bond says that 669 of his customers were affected by the breach, although he never heard any complaints from any of them and only knew of the breach because of Visa and Mastercard contacting him. Other restaurants involved in the lawsuit were reportedly not as lucky. Bond says that Sammy’s Grill had 45,000 customers whose cards were compromised over a three-year period, and that he knows of 19 businesses who had similar breaches while using the Aloha system. He suspects that there are many more restaurants who also experienced breaches of a similar nature. In a press release from the plaintiffs, Radiant Systems and Computer World Inc., are accused of having directly contributed to the breach by providing products that were not PCI-DSS compliant. 1) Restaurants were sold earlier model POS systems although they were represented to be new models; 2) Computer World used a remote access system that did not have adequate security patches – a violation of PCI-DSS standards; 3) Computer World used the same password for at least 200 operators in violation of PCI standards; 4) The distributor failed to remove prior sensitive customer credit data upon installation of Radiant POS systems, again in violation of PCI standards. Bond claims that in his case, when Secure Metrics performed the forensic audit, they discovered that the system had previously been installed as Sorano’s Salsa Company’s system. It’s not clear whether any personal or financial data were still accessible, but it was clear that the system was not new. Bond says that pcAnywhere came installed on his system so that Computer World could remotely access the system to service it. But as with every Computer World installation for every Aloha customer, Computer World allegedly used the default password, and all 200 installations used the same password, “computer.” According to Bond, the Secret Service discovered that a Romanian hacker had accessed all of the computers using the system and common password and installed keyloggers to capture the card data. The plaintiffs also claim that “Radiant and Computer World were warned by Visa in 2007 that their programs were non-compliant, but the restaurants were unaware of these warnings at the time they purchased the Aloha system.” The plaintiffs are seeking damages to cover all of the expenses they incurred. Both Radiant Systems and Computer World were contacted for a response to the press release issued yesterday by the plaintiffs. C. York Craig, III, of the law firm representing Computer World, Forman Perry Watkins Krutz & Tardy LLP, sent the following statement: Computer World, through its New Orleans attorney, Joseph B. Morton, III of Forman Perry Watkins Krutz & Tardy LLP, denied the assertions of the plaintiffs. Morton stated, “We prefer to handle these matters in the proper forum. Computer World is confident that when all of the evidence is examined in a court of law, it will be established that Computer World fulfilled its contractual obligations, appropriately installed/monitored the POS hardware and software, complied with all government requirements and was very responsive to the needs of its clients.” As of the time of this posting, Radiant Systems did not reply to DataBreaches.net’s inquiry (SEE UPDATE, BELOW). Bond says that a motion by Radiant Systems to break up the class action lawsuit was dismissed by a judge yesterday, and that the lawsuit has been allowed to go forward as a class-action lawsuit. Bond informs DataBreaches.net that as a result of the breach, another one of the plaintiffs gave up on using credit cards altogether rather than incur the costs of a forensic audit and fines by Visa and Mastercard. As for Bond himself, after incurring $19,000 in forensic audit fees, several thousand dollars in fees for an IT consultant to implement the auditor’s recommendations, $20,000 in chargebacks, attorney fees, miscellaneous fees, and $5,000 in fines from Visa (see […]

The Fisherman’s Restaurant notifies employees after contractor error results in their data being transmitted to another restaurant

October 24, 2013
Dissent

Back in 2009, I reported on some hacks in the hospitality sector involving Radiant Systems’ point of sale technology and one of their distributors in Louisiana. But it was their back office technology service that was involved in a breach recently disclosed by The Fisherman’s Restaurant to its employees. By letter dated October 8th signed by both John Pearson of Radiant Systems and Bob Novello of The Fisherman’s Restaurant, employees were informed that on September 23, Radiant discovered that employees’ personal information had been transmitted to another Radiant Systems restaurant customer. The erroneous data transmissions began on or about May 3 and continued through September 24. The employees’ personal information may have included their name and nickname. postal address and telephone number, date of birth, Social Security number, gender, veteran status, some employment status information, marital status, and number of dependents. Upon discovery, Radiant “took steps to stop the erroneous data transmission and worked with the recipient to delete your personal information from its systems,” employees were informed. The letter also informed employees that no evidence of any misuse of the information was detected. Affected employees were offered free enrollment in Experian ProtectMyID Alert. The letter, a copy of which was posted on California’s breach site, does not explain how the problem occurred. Was this a new account for Radiant, or was there some upgrade or change in an existing system that caused the misdirected transmission? Nor is it clear why the recipient of The Fisherman’s Restaurant’s employee data didn’t spot the error in May and contact Radiant immediately.

Julie’s Place hack: an all-too-familiar story by now

September 20, 2010
Dissent

This breach was first reported earlier this month, but I seem to have missed it: About 100 people found out over the last couple weeks that someone else had accessed their bank account, taking their money and leaving them stunned. […] After being flooded with reports of fraud, the Leon County Sheriff’s Office began to investigate and found that the computer system at the restaurant Julie’s Place had been hacked and someone, somewhere had full access. Read more on WCTV. In follow-up coverage today in the Tallahassee Democrat, the owner reportedly claims that he was told that the breach involved an Aloha POS-specific malware: The company that provided the Aloha card terminal also found evidence of where the intruder got past the system’s firewall and was able to remotely access the terminal and steal the customers’ information. “They found malware that was specifically for this Aloha system,” he said of the technicians’ evaluation. Since then, he has had the entire system changed out and security features upgraded to prevent a recurrence. Radiant Systems’ Response DataBreaches.net contacted Radiant Systems, manufacturers of the Aloha POS systems, about the statement that the malware was “Aloha-specific” in any way. Ernie Floyd, Director of Data Security and Compliance for Radiant stated that there was no unusual or Aloha-specific malware, and that as in other cases, when cybercriminals find systems with remote access software in listening mode, they then probe for the presence of payment applications that would indicate that card data might be available. If they find it, they then upload the malware to scrape the card data. In the case of Julie’s Place, Floyd said that the system had PCAnywhere in listening mode and no commercial-grade firewall. Floyd says that although it was not available at the time of this particular breach, the company has a developed two-factor authentication tool for support services. According to him, the firm and its resellers have really been trying to educate restauranteurs that having PA-DSS validated software is simply not sufficient if there is no commercial grade software or if the rest of the environment is in shambles. Breaches in the Hospitality Sector Are Up Floyd also confirmed my impression that breaches in the hospitality sector are up this year. At a Visa symposium in June, attendees were reportedly informed that although Q1 was a slow quarter in terms of breach reports, Q2 was more active than any quarter in 2009. A Trustwave SpiderLabs representative also reported that by August, they had already conducted more post-breach forensic evaluations than they had for the entire year in 2009. Trustwave SpiderLabs typically handles about half of all forensic evaluations in the hospitality sector.

Restauranteurs threaten to sue POSitouch and NJ reseller

May 27, 2010
Dissent

Yesterday’s press releases brought news of another potential lawsuit involving the restaurant industry and a POS vendor and reseller. I recognize the attorneys’ names as the same attorneys who filed suit on behalf of some Louisiana restauranteurs against another POS vendor, Radiant Systems, and their reseller, Computer World, last year. According to the press release, this potential lawsuit would be against Restaurant Data Concepts, Inc. of Warwick, Rhode Island, vendors of the POSitouch system, and CC Productions of Hoboken, New Jersey, the reseller. At the core of the allegations in the developing lawsuit: 1) POSitouch’s POS system failure: The facts emanating from a forensic audit reveal that POSitouch sold a system that was non-compliant with PCI-DSS. 2) CC Productions’ mismanagement: This POSitouch reseller engaged in flagrant violations of PCI standards that gave rise to the security breaches. When companies such as CC Productions engage in the support and management of a merchants’ POS application system they need to ensure that they are not engaging in suspect actions that open up the ports so that hackers may penetrate the entire system through malware. […] While the exact amount of the identify theft losses to banks, the financial losses to the restaurants, fines, investigatory costs, fines imposed by the credit card companies and other costs attributed to fixing the computer systems’ security breaches are still being tallied, the lawsuit is seeking compensation to repay the penalties levied by the credit card companies and the massive costs to track down and repair the POS system problems. According to the attorneys, damages “could run well into seven figures.” I’ve sent out inquiries to the lead attorney and to Restaurant Data Concepts and will be following any developments in this case on this site. At this point, I’m not even sure whether we already knew about any of these incidents but the coverage didn’t mention the POS, or if most of the breaches alluded to flew under the media radar. Update of 5-28-10: See POSitouch’s response here.

Reports of San Antonio restaurant hacks may be overblown

May 25, 2010
Dissent

When Aldaco’s Stone Oak on Sonterra Blvd. in San Antonio revealed that it had been hacked by someone believed to be overseas, owner Blanca Aldaco stated that they used the most current versions of the Aloha POS by Radiant Systems. Rumors started swirling shortly thereafter that a number of restaurants in the tight-knit restaurant community who use the Aloha POS had also been hacked, but when the dust started settling, it appears that so far, only Aldaco’s and possibly one other restaurant may be affected. San Antonio resident R Brooks tells DataBreaches.net that he found out about the breach the hard way — when his card was declined while shopping. He contacted Security Service Federal Credit Union and was told that a compromise had occurred and that MasterCard had flagged his account. A spokesperson for the credit union informs DataBreaches.net that they canceled and replaced 350 customers’ cards last week. Most of the card replacements were made proactively, but 50 of their customers had reported fraudulent charges on their cards. All of the cards involved in the replacement had been compromised by the Aldaco’s breach and the credit union is not aware of any other establishments being hacked. One other local establishment believes that they may have been hacked, too. Local Coffee’s owner tells DataBreaches.net that he was notified by one of his customers last Friday that their card had been compromised after they had used it there. That customer’s credit union, Randolph-Brooks, had reportedly notified them that they were canceling the customer’s debit card because there had been some fraudulent charges on debit cards that had been used at a few restaurants in the area. “Friday was one of our best days ever in terms of business, and then this happened,” the owner told DataBreaches.net. Responding quickly to protect their customers, Local Coffee stopped using their system immediately, called the police to report the incident, and like Aldaco’s, reverted to dial-up. They also posted a notice on its web site: We believe our business has had a breach of data likely to be very similar to another Stone Oak Business. We are working with the SAPD Fraudulent Unit, Radiant Systems, RBS WorldPay and Aloha to further investigate where this breach occurred and to ensure it cannot happen in the future. This is a much larger operation and not the result of any wrong doings by an LC employee. We are frustrated if this has impacted our loyal customers and inconvenienced them in anyway. Please contact the credit card company immediately that was used at our location to ensure your account has not been compromised and request a new card for security (it seems to be affecting only debit cards, but still call to verify). LC has the latest versions of Aloha software in order to maintain compliance and prevent any compromise of data. This was unfortunately something we could not have seen happening. Until we are more than 100% this situation is resolved we have gone to dial-up for authorization to prevent further breeches, so please bare with us for the small inconvenience this may have, but our customers security is extremely important. We will continue to update our customers with any information we find out in regards to this situation, so you are confident with the steps we are taking to prevent this in the future. The buzz that multiple restaurants using Radiant Systems’ Aloha POS had all been hacked may be a result of a number of hacks of restaurants in Louisiana last year, but two other restaurants specifically mentioned to DataBreaches.net as having been hacked both deny that they have had any problems and Radiant’s local reseller says that they haven’t heard from any other customers that they’ve been hacked. The San Antonio detective investigating the reports did not return a phone call seeking additional information. Nor did Randolph-Brooks Federal CU return a call asking for additional information. In an interview with Jimmy Fortuna, Vice-President of Product Development for Radiant Systems, Fortuna informed DataBreaches.net that Radiant’s San Antonio reseller, Forum Systems Group, will be hosting a symposium in San Antonio at the Airport Hilton on Thursday for small business owners to talk about the changing threat landscape and how small businesses can protect themselves. “Small businesses often believe that threats don’t include them because they’re too small to care about,” Fortuna said, “but 80% of attacks in the past year have been on small businesses.” Fortuna sees the current situation as an opportunity to educate owners while people are motivated and paying attention to security. Radiant’s Aloha POS is a very popular software in the San Antonio area, and according to Fortuna, industry reports indicate that other vendors’ products are getting attacked as often as Radiant’s. As for me, having spent two days trying to track down the reports to confirm or disconfirm them, I’m just sorry I’m not in San Antonio right now, as it looks like they have a fantastic assortment of restaurants and a wonderful coffee establishment that made me drool just looking at their coffee menu. If I get any more reports of hacked restaurants in the San Antonio that are confirmed, I’ll post them.

Looking back on 2009

January 3, 2010
Dissent

The breach of Heartland Payment Systems grabbed the headlines for much of the year and the entire population of Belize had their birth details stolen when a government employee left a laptop in a car, but what else went on? Your details, my friend, were blowing in the wind Although the number of breaches involving paper records does not appear to have increased from 2008 to 2009, by the end of the third quarter, paper breaches comprised more than one quarter of U.S. breaches reported in the media this year. The federal government sent a strong message when it fined CVS $2.25 million for violating HIPAA by improperly disposing of pharmacy records, but was anyone else listening? Doctor, doctor, give me the news Almost a year after it first reported receiving an extortion attempt with evidence that the extortionist had acquired members’ prescription records, pharmacy benefit management firm Express Scripts reported that the extortionist had acquired much more data than they originally believed. In April, the Virginia Prescription Monitoring Program database was hacked and they, too, received an extortion demand. As in past years, we saw some large breaches involving health insurers. Blue Cross Blue Shield reported two major breaches – one involving a stolen laptop and one involving stolen hard drives. To the irritation of a number of states attorney general, Health Net belatedly reported the loss of a hard drive with many members’ insurance or health-related information. Over in the U.K., it seemed that every month we were reading about yet another NHS unit that had breached the Data Protection Act and was now required to sign an “Undertaking” with the Information Commissioner’s Office. We also learned that an outsource transcription service in India was selling patient information. If the healthcare sector doesn’t make you ill, the malware will 2009’s “new math” was that hacking + malware = big trouble. The Heartland Payment Systems breach grabbed the spotlight on that in January, only ceding it temporarily when a 2008 RBS WorldPay resulted in a coordinated attack on over 2000 ATMs to the tune of $9 million in a few hours. Protesting their PCI-DSS compliance, the two processors were banished from card brands’ approved list, but within months, were restored to approved status. Malware also started rearing its head more in social media networks and online banking, and a number of small businesses found themselves taking their banks to court over funds that were stolen from their accounts. And of course, despite all of the scam alerts, some people fell for phishing attempts. That would be bad enough, but when you read that 46% of all Brits use the same login/pass for all of their accounts, the problems are magnified. On a positive note, several master cybercriminals such as Ehud Tenenbaum and Albert Gonzalez pleaded guilty to involvement in numerous large breaches, but not all of their accomplices have been apprehended and we have not been told about other payment processors that were under attack. In October, we started getting reports about a major breach in Spain that is affecting cardholders in Europe and beyond, but we have not yet been told whether it is a card processor or other entity that is the source of the breach and whether or not it involved malware. And as we struggled to learn names from Russia, Estonia, Romania, and Latvia, each week seemed to bring new headlines of ID theft rings that had been broken up by law enforcement. Many of the local rings did not involve malware, however, but used much more low tech approaches. 2009 was a “fine year” Among the most publicized fines for inadequate security or breaches: TJX paid almost $9 million to settle with 41 states attorney general, Heartland Payment Systems paid American Express $3.6M over its 2008 data breach and claimed that it is fighting MasterCard‘s more than $6 million fine. Over in the U.K., the Financial Services Authority (FSA) fined HSBC Life UK, HSBC Actuaries and Consultants, and HSBC Insurance Brokers more than £3m. The FSA also fined UBS £8 million. The U.S. Commodity Futures Trading Commission fined Interbank FX, LLC (Interbank) $200,000, the Financial Industry Regulatory Authority (FINRA) fined Centaurus Financial (CFI) $175,000, and the Securities and Exchange Commission fined Commonwealth Financial Network $100,000. It was also a busy year for states attorney general. In addition to the TJX settlement, CVS and Walgreens settled with Indiana’s Attorney General, while Payment Resources International paid a fine to the Vermont Attorney General. BNY Mellon was fined by the Connecticut Attorney General and Blue Cross was fined by the Delaware Insurance Commissioner. Kaiser Permanente was also socked with a few fines by California over employees snooping in celebrity patients’ files. That settles that! In 2009, the FTC settled charges against ChoicePoint, James B. Nutter, Comp Geeks/Genica (Compgeeks), and Rental Research Services, while the Texas Attorney General settled charges against Cornerstone Fitness and the Florida Attorney General settled charges against VICI Marketing. Class-action lawsuits in response to breaches generally continue to disappoint irate consumers, who seem to keep trying anyway. In 2009, most of the Hannaford Bros. breach lawsuit was dismissed, and an attempt to file a class-action lawsuit against Express Scripts was dismissed. Among the breach-related lawsuits that settled during the year were the 2006 stolen V.A. laptop lawsuit, D.A. Davidson lawsuit, a Heartland Payment Systems class action suit by consumers, and TJX settlements with some banks and 41 states attorney general. Other lawsuit settlements either received preliminary approval or were rejected: Countrywide Financial (approved), TD Ameritrade (rejected), and the Olive Garden FACTA lawsuit (approved). But consumers weren’t the only ones disappointed by lawsuit outcomes in 2009. Cumis was dealt a blow when the Massachusetts Supreme Court ruled that BJ’s Wholesalers and Fifth Third Bank were not liable to Cumis for the costs it incurred after the BJ’s breach. Also new in 2009: two groups of restauranteurs filed lawsuits against Radiant Systems, alleging that the vendor’s software was not compliant and was responsible for the […]

La. restaurants suffering credit card ‘nightmare’

December 28, 2009
Dissent

Jason Brown of The Advocate has a story today about restauranteurs’ lawsuits against Radiant Systems and Computer World, a lawsuit covered previously on the blog. Of note, Brown cites a Secret Service agent involved in the case: Luiz Velez, resident agent in charge of the Secret Service’s Baton Rouge office, said each hack involved restaurants using Internet-based computer systems. Velez said more than 100,000 cards were exposed and conservatively placed the fraud loss for area banks at about $1.2 million. Although 100,000 cards and $1.2 million might not sound huge when contrasted to mega-breaches like Heartland Payment Systems’ breach, this particular breach reportedly caused at least one restaurant to close its doors and another to give up taking credit cards. And of course, we only know about less than a dozen or so restaurants. Could there be other restaurants using this POS software that also had breaches that we haven’t learned about yet? It seems likely. Charles Y. Hoff, general counsel for the Georgia Restaurant Association and one of the attorneys assisting in the Lafayette lawsuit, said he has received a multitude of calls from restaurant owners all over the country regarding similar claims. “It is not isolated and it is something that is a real concern on a national level,” Hoff said.

Apres le breach, yet another call for greater cooperation to fight data theft

December 19, 2009
Dissent

And the year draws to a close as it opened: with a call for greater cooperation in preventing security breaches. At the beginning of the year, it was Heartland Payment Systems. Now, following lawsuits against it by restauranteurs in Louisiana who were hacked while using one of its POS applications, Radiant Systems is trying to sound its own clarion call for greater cooperation among those involved in processing transactions. In a press release issued yesterday, the company writes: “Our vision is to encourage all involved in transaction processing to move from a mindset of independent compliance to one of collaborative security that will greatly reduce the risk of data theft,” said John Heyman, chief executive officer at Radiant Systems. “We believe the current data security blueprint in the payments industry is designed with many constraints in mind and therefore is not able to go far enough.” […] “We have expanded the responsibilities of Jimmy Fortuna, vice president of product development for the hospitality division at Radiant Systems, to now include industry data security,” added Heyman. Fortuna brings 10 years of industry experience to this role. “Jimmy will work inside and outside the walls of our company to fight for increased levels of data security in the retail and restaurant industries.” Radiant is investing in these activities to help define new standards across the payment process, educate businesses on how to reduce theft by meeting the current 12-step Payment Card Industry Data Security Standard (PCI DSS) requirement process, and build new technologies outside its POS software to combat theft. To date, Radiant has declined to discuss any specifics involving the lawsuits against it, and details of the hacks have come only from the restauranteurs, leaving many questions unanswered. What did Radiant do in 2007 when its earlier Aloha systems were declared noncompliant? Did it notify all distributors to stop selling those systems and did anyone contact customers to alert them and advise them? Following an August 2008 meeting between Visa, the Secret Service, and Louisiana restauranteurs, Radiant issued a security alert. But what had it done before then to ensure that customers who used their platform were aware of the problems? Yes, it is ultimately the merchant’s responsibility to remain compliant, but it’s unrealistic to expect small merchants to search for or read bulletins that may or may not apply to them. As Radiant looks to prevent future problems, what is Radiant suggesting be done going forward? Will Radiant go so far as to recommend that vendors be required to commit to notifying customers of security alerts? If not, what will Radiant agree to support? If a car has a safety defect, it is the car manufacturer’s responsibility to notify customers to bring their car in. We don’t expect car owners to check the manufacturer’s site or the Highway Safety web site to find out if their car poses a hazard to them. Why doesn’t the same notion of responsibility apply here? Or does it already? Whether Radiant’s call is simply an attempt at PR in response to the bad press they have received over the lawsuits or a serious commitment that they will follow up on remains to be seen and I expect we’ll see some “lessons learned” as an outgrowth of this incident. But will it be enough to significantly reduce the likelihood of future breaches? As long as there continues to be intensive efforts to cover up breaches or to prevent the public from finding out the full scope of breaches, I doubt it. Photo credit: “Clarion call” by lonecellotheory, Flickr, used under Creative Commons License.

The Merchants Strike Back?

December 7, 2009
Dissent

David Navetta has a thought-provoking article over on InformationLawGroup that begins: With the recent news of several restaurants teaming up to sue point-of-sale system provider Radiant Systems (a copy of the complaint can be found here) for failing to comply with the PCI Standard, it appears that some merchants may be in a mood to strike back in the aftermath of a payment card security breach. This lawsuit comes in the wake of a couple lawsuits against payment card security assessor Savvis for allegedly failing to properly validate a processors’ Visa CISP compliance (admittedly in this case it is the merchant bank suing the assessor, but a similar cause of action could exist for a merchant if its assessor makes a mistake in verifying PCI compliance). While two instances certainly don’t indicate a trend, they do indicate a potential route that merchants may consider to deflect liability arsing out of a payment card security breach. It is possible that we will see more lawsuits by merchants against service providers, payment processors, and application/point-of-sale system providers in the coming months and years. Part of the reason is that the PCI regulatory system imposes a form of “strict liability” on merchants that suffer a security breach. Fines, penalties and the availability of recovery processes are contingent (in part) on whether or not a merchant was PCI-compliant at the time of the breach (see e.g. Visa’s ADCR). Thus, when a Qualified Incident Response Assessor (“QIRA”) comes in after a credit card breach to do an audit one of its main tasks (if not its primary goal) is to ascertain whether the merchant was PCI-compliant. Lost in the shuffle sometimes, however, is the issue of “causation.” The question that is not being asked is whether or not PCI compliance would have prevented the breach, or whether the lack of PCI-compliance was the cause of the breach. In other words would PCI-compliance have made a difference. In some cases the answer is obvious. For example, if a merchant is holding onto sensitive authentication information, clearly PCI compliance (which requires the deletion of such data after a transaction) would have precluded a payment card breach. In other situations, however, the answer might not be as clear cut. Read more here.

Welcome Computerworld readers

December 2, 2009
Dissent

As Robert McMillan of IDG News Service kindly pointed out, this site initially reported the lawsuit against Radiant Systems and its distributor, Computer World Inc., over a week ago. If you’re new to this site, you can find that story here. In a subsequent post, I mentioned some other restaurants that had been hacked while using the Aloha POS and pointed out that it seems that Visa and the Secret Service knew about a connection to Aloha by August 2008 but that many restauranteurs using the system did not seem to know. One “smoking gun” in the lawsuit against Radiant and its distributor may be a letter that Visa allegedly sent to Radiant Systems in 2007 about the system and PCI-DSS compliance. Plaintiffs in one of two class-action lawsuits say that they had no knowledge in 2007 or prior to being hacked in 2008 that Visa had any concerns about Aloha POS and believed that they were using a compliant system. So what happened to that letter and was a specific Aloha-related alert ever sent to acquirers and on to merchants? If and when I can find out more, I’ll post it. While you’re on the site, feel free to look around. You may be surprised at the number of breaches reported here on a daily basis that you may not be learning about on other sites. For example, do you know which country recently had a breach that resulted in the birth certificates for everyone in the country being stolen? You can read it here.